Researchers at the information security company Check Point Research have found ten Android applications in the Google Play Store that contain the Clast82 dropper Trojan, which is used to distribute the banking Trojan AlienBot and the mRAT malware. According to the available data, all of the detected malicious applications have already been removed from the Google platform.
The source says that cybercriminals disguised the dropper as legitimate products for the Android platform. All of the problematic applications were utilities such as Cake VPN, Pacific VPN, BeatPlayer, QR / Barcode Scanner MAX, QRecorder, etc. The attackers took the functionality of the utilities from legitimate open source Android applications.
It is reported that Google's standard verification tools did not detect the suspicious activity of these applications. The Firebase cloud service was used for remote malware management, and the banking trojans were downloaded from repositories on GitHub.
It is also noted that the dropper could independently determine when to activate its malicious functions and when to hold back so as not to be detected. The researchers note that the malicious functions were usually deactivated while the application was being tested and were turned on automatically after it was published on the Play Store. As for the downloaded malware, cybercriminals used mRAT to gain remote access to infected devices, while AlienBot allowed malicious code to be injected into legitimate banking applications installed on victims' devices.